DOCSLIB.ORG

LFSR-Based Stream Ciphers

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
LFSR-Based Stream Ciphers Chapter 3 LFSR-based Stream Ciphers In order to minimize the size of the internal state, stream ciphers dedicated to low-cost hard- ware implementations may use a linear transition function. Among all such possibilities, linear feedback shift registers (LFSRs) offer several advantages including their performance, their implementation cost and many theoretical results on the statistical properties of the produced sequences. LFSR-based generators are then probably the most commonly studied class of keystream generators. This class includes both hardware-oriented stream ciphers and software-oriented ciphers, but this second type of applications usually relies on non-binary LF- SRs, operating on a larger alphabet (e.g. on 32-bit words). The most widely used LFSR-based stream ciphers include E0 (used in the Bluetooth standard), A5/1 used for encrypting the over- the-air communications in the GSM cellular telephone standard, SNOW 2.0 (ISO/IEC 18033-4 standard) and its variant SNOW 3G used in UMTS 3G networks. In most practical LFSR-based generators used nowadays, the internal state is divided into two parts: one is updated linearly by an LFSR, and the other one is updated with a nonlinear function in order to prevent the main attacks exploiting the linearity of the transition function. This nonlinear part may be small (and seen as a nonlinear memory) as in E0 or SNOW 2.0, or both parts of the internal state may be of equal size, like in MUGI or Grain. 3.1 Main properties of LFSRs 3.1.1 Definitions An LFSR of length L over Fq is a finite state automaton which produces a semi-infinite sequence of elements of Fq, s = (st)t≥0, satisfying a linear recurrence relation of degree L over Fq L X st+L = cist+L−i; 8t ≥ 0 : i=1 The L coefficients c1; : : : ; cL are elements of Fq. They are called the feedback coefficients of the LFSR. The Fibonacci representation of an LFSR of length L over Fq has the form depicted on Figure 3.1. The register consists of L delay cells, called stages, each containing an element of Fq. The contents of the L stages, st; : : : ; st+L−1, form the state of the LFSR. The L stages are initially loaded with L elements, s0; : : : ; sL−1, which can be arbitrary chosen in Fq; they form the initial state of the register. 43 44 Chapter 3. LFSR-based Stream Ciphers st+L -st+L−1 -st+L−2 - ... - st+1 - st - output ? ? ? ? c1 c2 cL−1 cL ? ? ? + + + Figure 3.1: Fibonacci representation of an LFSR of length L. The shift register is controlled by an external clock. At each time unit, each digit is shifted one stage to the right. The content of the rightmost stage st is output. The new content of the leftmost stage is the feedback bit, st+L. It is obtained by a linear combination of the contents of the register stages, where the coefficients of the linear combination are given by the feedback coefficients of the LFSR: L X st+L = cist+L−i : i=1 Therefore, the LFSR implements the linear recurrence relation of degree L: L X st+L = cist+L−i; 8t ≥ 0 : i=1 Example 3.1. A binary LFSR of length 4. Table 3.1 gives the successive states of the binary LFSR of length 4 with feedback coefficients c1 = c2 = 0, c3 = c4 = 1 and with initial state (s0; s1; s2; s3) = (1; 0; 1; 1). This LFSR is depicted in Figure 3.2. It corresponds to the linear recurrence relation st+4 = st+1 + st mod 2 : The output sequence s0s1 ::: generated by this LFSR is 1011100 :::. Figure 3.2: Binary LFSR with feedback coefficients (c1; c2; c3; c4) = (0; 0; 1; 1) - - - - - ? + i Feedback polynomial and characteristic polynomial. The output sequence of an LFSR is uniquely determined by its feedback coefficients and its initial state. The feedback coef- ficients c1; : : : ; cL of an LFSR of length L are usually represented by the LFSR feedback polynomial (or connection polynomial) defined by L X i P (X) = 1 − ciX : i=1 Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 45 Table 3.1: Successive states of the LFSR with feedback coefficients (c1; c2; c3; c4) = (0; 0; 1; 1) and with initial state (s0; s1; s2; s3) = (1; 0; 1; 1) t 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 st 1 0 1 1 1 1 0 0 0 1 0 0 1 1 0 1 st+1 0 1 1 1 1 0 0 0 1 0 0 1 1 0 1 0 st+2 1 1 1 1 0 0 0 1 0 0 1 1 0 1 0 1 st+3 1 1 1 0 0 0 1 0 0 1 1 0 1 0 1 1 Alternatively, one can use the characteristic polynomial, which is the reciprocal polynomial of the feedback polynomial: L ? L L X L−i P (X) = X P (1=X) = X − ciX : i=1 For instance, the feedback polynomial of the binary LFSR shown in Figure 3.2 is P (X) = 1 + X3 + X4 and its characteristic polynomial is P ?(X) = 1 + X + X4. Non-singular LFSRs. An LFSR is said to be non-singular if the degree of its feedback polynomial is equal to the LFSR length (i.e., if the feedback coefficient cL differs from 0). In this case, the transition function of the LFSR is bijective. Any sequence generated by a non-singular LFSR of length L is periodic, and its period does not exceed qL − 1. Indeed, the LFSR has at most qL different states and the all-zero state is always followed by the all-zero state. Moreover, if the LFSR is singular, all generated sequences are ultimately periodic, i.e., the sequences obtained by ignoring a certain number of elements at the beginning are periodic. 3.1.2 Characterization of LFSR output sequences L A given LFSR of length L over Fq can generate q different sequences corresponding to L the q different initial states and these sequences form a vector space over Fq. The set of all sequences generated by an LFSR with feedback polynomial P is characterized by the following property [Zie59]. Theorem 3.1. A sequence (st)t≥0 is generated by an LFSR of length L over Fq with feedback polynomial P if and only if there exists a polynomial Q 2 Fq[X] with deg(Q) < L such that the generating function of (st)t≥0 satisfies X Q(X) s Xt = : t P (X) t≥0 Moreover, the polynomial Q is completely determined by the coefficients of P and by the initial state of the LFSR: L−1 k ! X j X Q(X) = − X skcj−k ; j=0 k=0 PL i where P (X) = − i=0 ciX . 46 Chapter 3. LFSR-based Stream Ciphers Proof. L ! 1 ! 1 0 j 1 X i X t X j X − ciX stX = X @− skcj−kA i=0 t=0 j=0 k=max(0;j−L) L−1 j ! 1 0 j 1 X j X X j X = − X skcj−k + X @ skcj−kA : j=0 k=0 j=L k=j−L Therefore, we deduce that L ! 1 ! X i X t Q(X) = − ciX stX i=0 t=0 is a polynomial of degree strictly less than L if and only if the second right-hand term vanishes, i.e., j X skcj−k = 0 k=j−L for all j ≥ L. This result, which is called the fundamental identity of formal power series of linear re- curring sequences, means that there is a one-to-one correspondence between the sequences generated by an LFSR of length L with feedback polynomial P and the fractions Q(X)=P (X) with deg(Q) < L. It has two major consequences. On the first hand, any sequence generated by an LFSR with feedback polynomial P is also generated by any LFSR whose feedback poly- nomial is a multiple of P . This property is widely used for attacking LFSR-based generators (e.g., in distinguishing attacks, and in fast correlation attacks). It may also be helpful since some multiple of the feedback polynomial may provide more appropriate representations in some contexts. Example 3.2. Let s be a binary sequence satisfying st+6 = st+4 + st+3 + st+1 + st; 8t ≥ 6 : The corresponding feedback polynomial is then P (X) = 1 + X2 + X3 + X5 + X6. It then follows that s also satisfies st+8 = st+7 + st since 1 + X + X8 = (1 + X2 + X3 + X5 + X6)(1 + X + X2). This alternative recursion may then have a lower implementation cost because of its sparsity. On the other hand, Theorem 3.1 implies that a sequence generated by an LFSR with feedback polynomial P is also generated by a shorter LFSR with feedback polynomial P 0 if the corresponding fraction Q(X)=P (X) is such that gcd(P; Q) 6= 1. Thus, amongst all sequences generated by the LFSR with feedback polynomial P , there is one which can be generated by a shorter LFSR if and only if P is not irreducible over Fq. This leads to the following natural notion of minimal polynomial. Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 47 Definition 3.2. For any linear recurring sequence (st)t≥0, there exists a unique polynomial P0 with constant term equal to 1, such that the generating function of (st)t≥0 is given by X t stX = Q0(X)=P0(X) t≥0 where P0 and Q0 are relatively prime.
Load more

Recommended publications
  • LNCS 9065, Pp
    Combined Cache Timing Attacks and Template Attacks on Stream Cipher MUGI Shaoyu Du1,4, , Zhenqi Li1, Bin Zhang1,2, and Dongdai Lin3 1 Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing, China 2 State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing, China 3 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China 4 University of Chinese Academy of Sciences, Beijing, China du [email protected] Abstract. The stream cipher MUGI was proposed by Hitachi, Ltd. in 2002 and it was specified as ISO/IEC 18033-4 for keystream genera- tion. Assuming that noise-free cache timing measurements are possible, we give the cryptanalysis of MUGI under the cache attack model. Our simulation results show that we can reduce the computation complexity of recovering all the 1216-bits internal state of MUGI to about O(276) when it is implemented in processors with 64-byte cache line. The at- tack reveals some new inherent weaknesses of MUGI’s structure. The weaknesses can also be used to conduct a noiseless template attack of O(260.51 ) computation complexity to restore the state of MUGI. And then combining these two attacks we can conduct a key-recovery attack on MUGI with about O(230) computation complexity. To the best of our knowledge, it is the first time that the analysis of cache timing attacks and template attacks are applied to full version of MUGI and that these two classes of attacks are combined to attack some cipher.
    [Show full text]
  • High Performance Architecture for LILI-II Stream Cipher
    International Journal of Computer Applications (0975 – 8887) Volume 107 – No 13, December 2014 High Performance Architecture for LILI-II Stream Cipher N. B. Hulle R. D. Kharadkar, Ph.D. S. S. Dorle, Ph.D. GHRIEET, Pune GHRIEET, Pune GHRCE, Nagpur Domkhel Road Domkhel Road Hingana Road Wagholi, Pune Wagholi, Pune Nagpur ABSTRACT cipher. This architecture uses same clock for both LFSRs. It is Proposed work presents high performance architecture for capable of shifting LFSRD content by one to four stages, LILI-II stream cipher. This cipher uses 128 bit key and 128 bit depending on value of function FC in single clock cycle IV for initialization of two LFSR. Proposed architecture uses without losing any data from function FC. single clock for both LFSRs, so this architecture will be useful in high speed communication applications. Presented 2. LILI-II STREAM CIPHER architecture uses four bit shifting of LFSR in single clock LILI-II is synchronous stream cipher developed by A. Clark et D al. in 2002 by removing existing weaknesses of LILI-128 cycle without losing any data items from function FC. Proposed architecture is coded by using VHDL language with stream cipher. It consists of two subsystems, clock controlled CAD tool Xilinx ISE Design Suite 13.2 and targeted hardware subsystem and data generation subsystem as shown in Fig. 1. is Xilinx Virtex5 FPGA having device xc4vlx60, with KEY IV package ff1148. Proposed architecture achieved throughput of 127 128 128 224.7 Mbps at 224.7 MHz frequency. 127 General Terms Hardware implementation of stream ciphers LFSRc LFSRd ... Keywords X0 X126 X0 X1 X96 X122 LILI, Stream cipher, clock controlled, FPGA, LFSR.
    [Show full text]
  • A Uniform Framework for Cryptanalysis of the Bluetooth E0
    1 A Uniform Framework for Cryptanalysis of the Bluetooth E0 Cipher Ophir Levy and Avishai Wool School of Electrical Engineering, Tel Aviv University, Ramat Aviv 69978, ISRAEL. [email protected], [email protected] . Abstract— In this paper we analyze the E0 cipher, which “short key” attacks, that need at most 240 known is the encryption system used in the Bluetooth specification. keystream bits and are applicable in the Bluetooth We suggest a uniform framework for cryptanalysis of the setting; and “long key” attacks, that are applicable only E0 cipher. Our method requires 128 known bits of the if the E0 cipher is used outside the Bluetooth mode of keystream in order to recover the initial state of the LFSRs, operation. which reflects the secret key of this encryption engine. In one setting, our framework reduces to an attack of 1) Short Key Attacks: D. Bleichenbacher has shown D. Bleichenbacher. In another setting, our framework is in [1] that an attacker can guess the content of the equivalent to an attack presented by Fluhrer and Lucks. registers of the three smaller LFSRs and of the E0 − Our best attack can recover the initial state of the LFSRs combiner state registers with a probability of 2 93. Then after solving 286 boolean linear systems of equations, which the attacker can compute the the contents of the largest is roughly equivalent to the results obtained by Fluhrer and LFSR (of length 39 bit) by “reverse engineering” it Lucks. from the outputs of the other LFSRs and the combiner states. This attack requires a total of 128 bits of known I.
    [Show full text]
  • Pseudo-Random Bit Generators Based on Linear-Feedback Shift Registers in a Programmable Device
    184 Measurement Automation Monitoring, Jun. 2016, no. 06, vol. 62, ISSN 2450-2855 Maciej PAROL, Paweł DĄBAL, Ryszard SZPLET MILITARY UNIVERSITY OF TECHNOLOGY, FACULTY OF ELECTRONICS 2 Gen. Sylwestra Kaliskiego, 00-908 Warsaw, Poland Pseudo-random bit generators based on linear-feedback shift registers in a programmable device Abstract known how to construct LFSRs with the maximum period since they correspond to primitive polynomials over the binary field F2. We present the results of comparative study on three pseudo-random bit The N-bit length LFSR with a well-chosen feedback function generators (PRBG) based on various use of linear-feedback shift registers gives the sequence of maximal period (LFSR). The project was focused on implementation and tests of three such PRBG in programmable device Spartan 6, Xilinx. Tests of the designed PRBGs were performed with the use of standard statistical tests =2 . (1) NIST SP800-22. For example, an eight bit LFSR will have 255 states. LFSRs Keywords: pseudo-random bit generators, linear-feedback shift register, generators have good statistical properties, however they have low programmable device. linear complexity equal to their order (only N in considered case), which is the main drawback of primitive LFSRs. They can 1. Introduction be easily reconstructed having a short output segment of length just 2N [4]. In addition, they are very easy for implementation in In dynamically developed domains of information technology programmable devices. Figure 1 presents the structure of a simple and telecommunication, sequences of random generated bits are LFSR-based generator. still more and more required and used. There are two common sources of random bits, i.e.
    [Show full text]
  • Optimizing the Placement of Tap Positions and Guess and Determine
    Optimizing the placement of tap positions and guess and determine cryptanalysis with variable sampling S. Hodˇzi´c, E. Pasalic, and Y. Wei∗† Abstract 1 In this article an optimal selection of tap positions for certain LFSR-based encryption schemes is investigated from both design and cryptanalytic perspective. Two novel algo- rithms towards an optimal selection of tap positions are given which can be satisfactorily used to provide (sub)optimal resistance to some generic cryptanalytic techniques applicable to these schemes. It is demonstrated that certain real-life ciphers (e.g. SOBER-t32, SFINKS and Grain-128), employing some standard criteria for tap selection such as the concept of full difference set, are not fully optimized with respect to these attacks. These standard design criteria are quite insufficient and the proposed algorithms appear to be the only generic method for the purpose of (sub)optimal selection of tap positions. We also extend the framework of a generic cryptanalytic method called Generalized Filter State Guessing Attacks (GFSGA), introduced in [26] as a generalization of the FSGA method, by applying a variable sampling of the keystream bits in order to retrieve as much information about the secret state bits as possible. Two different modes that use a variable sampling of keystream blocks are presented and it is shown that in many cases these modes may outperform the standard GFSGA mode. We also demonstrate the possibility of employing GFSGA-like at- tacks to other design strategies such as NFSR-based ciphers (Grain family for instance) and filter generators outputting a single bit each time the cipher is clocked.
    [Show full text]
  • (SMC) MODULE of RC4 STREAM CIPHER ALGORITHM for Wi-Fi ENCRYPTION
    InternationalINTERNATIONAL Journal of Electronics and JOURNAL Communication OF Engineering ELECTRONICS & Technology (IJECET),AND ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Volume 6, Issue 1, January (2015), pp. 79-85 © IAEME COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET) ISSN 0976 – 6464(Print) IJECET ISSN 0976 – 6472(Online) Volume 6, Issue 1, January (2015), pp. 79-85 © IAEME: http://www.iaeme.com/IJECET.asp © I A E M E Journal Impact Factor (2015): 7.9817 (Calculated by GISI) www.jifactor.com VHDL MODELING OF THE SRAM MODULE AND STATE MACHINE CONTROLLER (SMC) MODULE OF RC4 STREAM CIPHER ALGORITHM FOR Wi-Fi ENCRYPTION Dr.A.M. Bhavikatti 1 Mallikarjun.Mugali 2 1,2Dept of CSE, BKIT, Bhalki, Karnataka State, India ABSTRACT In this paper, VHDL modeling of the SRAM module and State Machine Controller (SMC) module of RC4 stream cipher algorithm for Wi-Fi encryption is proposed. Various individual modules of Wi-Fi security have been designed, verified functionally using VHDL-simulator. In cryptography RC4 is the most widely used software stream cipher and is used in popular protocols such as Transport Layer Security (TLS) (to protect Internet traffic) and WEP (to secure wireless networks). While remarkable for its simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems. It is especially vulnerable when the beginning of the output key stream is not discarded, or when nonrandom or related keys are used; some ways of using RC4 can lead to very insecure cryptosystems such as WEP . Many stream ciphers are based on linear feedback shift registers (LFSRs), which, while efficient in hardware, are less so in software.
    [Show full text]
  • MTH6115 Cryptography 4.1 Fish
    MTH6115 Cryptography Notes 4: Stream ciphers, continued Recall from the last part the definition of a stream cipher: Definition: A stream cipher over an alphabet of q symbols a1;:::;aq requires a key, a random or pseudo-random string of symbols from the alphabet with the same length as the plaintext, and a substitution table, a Latin square of order q (whose entries are symbols from the alphabet, and whose rows and columns are indexed by these symbols). If the plaintext is p = p1 p2 ::: pn and the key is k = k1k2 :::kn, then the ciphertext is z = z1z2 :::zn, where zt = pt ⊕ kt for t = 1;:::;n; the operation ⊕ is defined as follows: ai ⊕a j = ak if and only if the symbol in the row labelled ai and the column labelled a j of the substitution table is ak. We extend the definition of ⊕ to denote this coordinate-wise operation on strings: thus, we write z = p ⊕ k, where p;k;z are the plaintext, key, and ciphertext strings. We also define the operation by the rule that p = z k if z = p ⊕ k; thus, describes the operation of decryption. 4.1 Fish (largely not examinable) A simple improvement of the Vigenere` cipher is to encipher twice using two differ- ent keys k1 and k2. Because of the additive nature of the cipher, this is the same as enciphering with k1 + k2. The advantage is that the length of the new key is the least common multiple of the lengths of k1 and k2. For example, if we encrypt a message once with the key FOXES and again with the key WOLVES, the new key is obtained by encrypting a six-fold repeat of FOXES with a five-fold repeat of WOLVES, namely BCIZWXKLPNJGTSDASPAGQJBWOTZSIK 1 The new key has period 30.
    [Show full text]
  • State Convergence and Keyspace Reduction of the Mixer Stream Cipher
    State convergence and keyspace reduction of the Mixer stream cipher Sui-Guan Teo1, Kenneth Koon-Ho Wong1, Leonie Simpson1;2, and Ed Dawson1 1 Information Security Institute, Queensland University of Technology fsg.teo,kkwong,[email protected] 2 Faculty of Science and Technology, Queensland University of Technology GPO Box 2434, Brisbane Qld 4001, Australia [email protected] Keywords: Stream cipher, initialisation, state convergence, Mixer, LILI, Grain Abstract. This paper presents an analysis of the stream cipher Mixer, a bit-based cipher with structural components similar to the well-known Grain cipher and the LILI family of keystream generators. Mixer uses a 128-bit key and 64-bit IV to initialise a 217-bit internal state. The analysis is focused on the initialisation function of Mixer and shows that there exist multiple key-IV pairs which, after initialisation, produce the same initial state, and consequently will generate the same keystream. Furthermore, if the number of iterations of the state update function performed during initialisation is increased, then the number of distinct initial states that can be obtained decreases. It is also shown that there exist some distinct initial states which produce the same keystream, re- sulting in a further reduction of the effective key space. 1 Introduction Many keystream generators for stream ciphers are based on shift registers, partic- ularly Linear Feedback Shift Registers (LFSRs). Using the output of a regularly- clocked LFSR directly as keystream is cryptographically weak due to the linear properties of LFSR sequences. To mask this linearity, stream cipher designers use LFSRs and introduce non-linearity either explicitly through the use of nonlinear Boolean functions or implicitly through through the use of irregular clocking.
    [Show full text]
  • Ensuring Fast Implementations of Symmetric Ciphers on the Intel Pentium 4 and Beyond
    This may be the author’s version of a work that was submitted/accepted for publication in the following source: Henricksen, Matthew& Dawson, Edward (2006) Ensuring Fast Implementations of Symmetric Ciphers on the Intel Pentium 4 and Beyond. Lecture Notes in Computer Science, 4058, Article number: AISP52-63. This file was downloaded from: https://eprints.qut.edu.au/24788/ c Consult author(s) regarding copyright matters This work is covered by copyright. Unless the document is being made available under a Creative Commons Licence, you must assume that re-use is limited to personal use and that permission from the copyright owner must be obtained for all other uses. If the docu- ment is available under a Creative Commons License (or other specified license) then refer to the Licence for details of permitted re-use. It is a condition of access that users recog- nise and abide by the legal requirements associated with these rights. If you believe that this work infringes copyright please provide details by email to [email protected] Notice: Please note that this document may not be the Version of Record (i.e. published version) of the work. Author manuscript versions (as Sub- mitted for peer review or as Accepted for publication after peer review) can be identified by an absence of publisher branding and/or typeset appear- ance. If there is any doubt, please refer to the published source. https://doi.org/10.1007/11780656_5 Ensuring Fast Implementations of Symmetric Ciphers on the Intel Pentium 4 and Beyond Matt Henricksen and Ed Dawson Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane, Queensland, 4001, Australia.
    [Show full text]
  • RC4-2S: RC4 Stream Cipher with Two State Tables
    RC4-2S: RC4 Stream Cipher with Two State Tables Maytham M. Hammood, Kenji Yoshigoe and Ali M. Sagheer Abstract One of the most important symmetric cryptographic algorithms is Rivest Cipher 4 (RC4) stream cipher which can be applied to many security applications in real time security. However, RC4 cipher shows some weaknesses including a correlation problem between the public known outputs of the internal state. We propose RC4 stream cipher with two state tables (RC4-2S) as an enhancement to RC4. RC4-2S stream cipher system solves the correlation problem between the public known outputs of the internal state using permutation between state 1 (S1) and state 2 (S2). Furthermore, key generation time of the RC4-2S is faster than that of the original RC4 due to less number of operations per a key generation required by the former. The experimental results confirm that the output streams generated by the RC4-2S are more random than that generated by RC4 while requiring less time than RC4. Moreover, RC4-2S’s high resistivity protects against many attacks vulnerable to RC4 and solves several weaknesses of RC4 such as distinguishing attack. Keywords Stream cipher Á RC4 Á Pseudo-random number generator This work is based in part, upon research supported by the National Science Foundation (under Grant Nos. CNS-0855248 and EPS-0918970). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author (s) and do not necessarily reflect the views of the funding agencies or those of the employers. M. M. Hammood Applied Science, University of Arkansas at Little Rock, Little Rock, USA e-mail: [email protected] K.
    [Show full text]
  • (Not) to Design and Implement Post-Quantum Cryptography
    SoK: How (not) to Design and Implement Post-Quantum Cryptography James Howe1 , Thomas Prest1 , and Daniel Apon2 1 PQShield, Oxford, UK. {james.howe,thomas.prest}@pqshield.com 2 National Institute of Standards and Technology, USA. [email protected] Abstract Post-quantum cryptography has known a Cambrian explo- sion in the last decade. What started as a very theoretical and mathe- matical area has now evolved into a sprawling research ˝eld, complete with side-channel resistant embedded implementations, large scale de- ployment tests and standardization e˙orts. This study systematizes the current state of knowledge on post-quantum cryptography. Compared to existing studies, we adopt a transversal point of view and center our study around three areas: (i) paradigms, (ii) implementation, (iii) deployment. Our point of view allows to cast almost all classical and post-quantum schemes into just a few paradigms. We highlight trends, common methodologies, and pitfalls to look for and recurrent challenges. 1 Introduction Since Shor's discovery of polynomial-time quantum algorithms for the factoring and discrete logarithm problems, researchers have looked at ways to manage the potential advent of large-scale quantum computers, a prospect which has become much more tangible of late. The proposed solutions are cryptographic schemes based on problems assumed to be resistant to quantum computers, such as those related to lattices or hash functions. Post-quantum cryptography (PQC) is an umbrella term that encompasses the design, implementation, and integration of these schemes. This document is a Systematization of Knowledge (SoK) on this diverse and progressive topic. We have made two editorial choices.
    [Show full text]
  • Recovering the MSS-Sequence Via CA
    Procedia Computer Science Volume 80, 2016, Pages 599–606 ICCS 2016. The International Conference on Computational Science Recovering the MSS-sequence via CA Sara D. Cardell1 and Amparo F´uster-Sabater2∗ 1 Instituto de Matem´atica,Estat´ıstica e Computa¸c˜ao Cient´ıfica UNICAMP, Campinas, Brazil [email protected] 2 Instituto de Tecnolog´ıas F´ısicasy de la Informaci´on CSIC, Madrid, Spain [email protected] Abstract A cryptographic sequence generator, the modified self-shrinking generator (MSSG), was re- cently designed as a novel version of the self-shrinking generator. Taking advantage of the cryptographic properties of the irregularly decimated generator class, the MSSG was mainly created to be used in stream cipher applications and hardware implementations. Nevertheless, in this work it is shown that the MSSG output sequence, the so-called modified self-shrunken sequence, is generated as one of the output sequences of a linear model based on Cellular Au- tomata that use rule 60 for their computations. Thus, the linearity of these structures can be advantageous exploited to recover the complete modified self-shrunken sequence from a number of intercepted bits. Keywords: Modified Self-Shrinking Generator, Cellular Automata, Rule 60, Cryptography 1 Introduction Symmetric key ciphers, also known as secret key ciphers [10, 12 ], are characterized by the fact that the same key is used in both encryption and decryption processes. They are commonly classified into block ciphers and stream ciphers. As opposed to block ciphers, in stream ciphers thesymbolsizetobeencryptedequalsthesizeofeachcharacterinthealphabet.Ifweusea binary alphabet, then the encryption is performed bit by bit, that is, every bit in the original message (plaintext) is encrypted separate and independently from the previous or the following bits.
    [Show full text]